httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Rob Hartill)
Subject Re: 1.2b3 release
Date Mon, 23 Dec 1996 21:29:54 GMT
Alexei Kosut wrote:

>I haven't seen any response to my patch to fix the overrides in
><Files> sections.

I haven't used <Files> so would rather not comment. Actually I once
did try using Files but it didn't work the way I wanted, i.e. to act
on filenames after Multiviews had chosen them.

<Files *.de>
	ExpiresActive off

>The multiple-slash thing defintely needs fixing before 1.2.0, since it
>really is a major security hole (am I the only one who realizes that?

is there a proposed fix ?

Lot's of people expect multiple /s so I suppose the only solution is to
reject requests if a file exists and the URL part up to the filename
contains //+

I've just realised that I have auth checks inside <Location /foo> type
blocks that fail to kick in when //s are added. Ouch++


View raw message